The Internet is the primary vehicle for moving sensitive electronic information. Credit card purchases, financial exchanges, bank interaction, credit checking/reporting, health and insurance records, and an enormous volume of other privileged information is constantly being exchanged. (By way of example, FIG. 1A (Prior Art) attached hereto is a schematic diagram showing generally the data flows between and among digital processors configured as servers or hosts (S1, S2, S3) and as clients (C1, C2, C3) via the Internet or other networks, using known communications and networking techniques.) Not surprisingly, such data, traveling from host to host, host to client, or client to host over public networks and equipment, have become a primary target for electronic theft and disruption, typically attempted or accomplished through a process commonly known as “hacking”.
Hacking techniques frequently take the form of denial of service (DoS), resource exhaustion, port scanning, and/or port corruption.
In a denial of service attack, large amounts of valid traffic are generated with the intent of overwhelming the capacity of a network or of specific network equipment. An example of this would be sending thousands of ARP requests to a router.
In a resource exhaustion attack, similarly, the attacker consumes the resources of the host, server or device under attack, including memory, buffers, registers and the like, until all resources are used up and the network connection is never released.
A port scanning attack involves the use of phantom hosts that scan the ports of another host seeking access to applications and data.
Port corruption creates invalid traffic that causes the computer equipment to fail and potentially opens up access to applications and data.
A given hacking technique may combine several, or all, of these types of attacks.
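The attack classes above are defined only in words; the following is an added example, not part of the patent text, showing how three of them (denial of service, port scanning, and resource exhaustion) look from the defender's side when summarized per source over a set of connection records. The record format, the sample traffic, and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, source_ip, dest_port, state).
# "request" is ordinary traffic; "half_open" is a connection that is opened but
# never released, which is how resource exhaustion shows up on the target.
def build_sample_records():
    records = [(t * 3.0, "10.0.0.5", 443, "request") for t in range(3)]        # benign client
    records += [(i * 0.05, "10.0.0.9", i + 1, "request") for i in range(40)]   # one host, 40 ports
    records += [(i * 0.01, "10.0.0.7", 80, "request") for i in range(300)]     # 300 hits in ~3 s
    records += [(i * 0.4, "10.0.0.8", 25, "half_open") for i in range(150)]    # 150 never released
    return records

def summarize(records):
    """Per-source counters: total events, distinct ports, half-open count, timestamps."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "half_open": 0, "times": []})
    for ts, src, port, state in records:
        s = per_src[src]
        s["count"] += 1
        s["ports"].add(port)
        s["times"].append(ts)
        if state == "half_open":
            s["half_open"] += 1
    return per_src

def classify(records, rate_threshold=50.0, scan_ports=20, half_open_threshold=100):
    """Map each source to the attack classes its behaviour matches (absent = benign).

    The thresholds are illustrative assumptions, not values from the patent text.
    """
    findings = {}
    for src, s in summarize(records).items():
        span = max(max(s["times"]) - min(s["times"]), 1.0)  # avoid divide-by-zero on one event
        labels = []
        if s["count"] / span >= rate_threshold:             # volumetric: many valid requests, fast
            labels.append("denial_of_service")
        if len(s["ports"]) >= scan_ports:                   # one source probing many ports
            labels.append("port_scan")
        if s["half_open"] >= half_open_threshold:           # connections held and never released
            labels.append("resource_exhaustion")
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in sorted(classify(build_sample_records()).items()):
        print(src, ", ".join(labels))
```

Port corruption (invalid, malformed traffic) is not captured by these per-source counters; it needs protocol-level validation of each packet rather than volume or fan-out statistics.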
In an effort to combat such attacks, network equipment manufacturers (NEMs) are spending a large percentage, in many cases the majority, of their R&D budgets today implementing intrusion detection systems (IDS). These applications seek to detect, isolate, and limit potential threats introduced by hackers. Accordingly, such applications should have the ability to isolate a single threat from among the thousands of legitimate users and applications in real time. However, intrusion threats can take a variety of forms, are becoming more sophisticated, and new threats are being discovered on a daily basis. As a result, IDS are always “behind the curve”. They can only detect threats that are known, and more particularly, those that have been identified, analyzed and reverse engineered. This means networks everywhere are exposed, vulnerable and subject to a new attack at any moment. Threats are only discovered after the fact, and remedies are developed only after the damage has occurred. The NEMs must use in-house development staff to manually replicate the threat, developing applications using C, C++, and similar languages. This is a process that can require weeks to complete: first to research the threat, then to develop the application, and finally to deploy testing throughout the quality assurance effort. This process must be repeated for every threat, by every manufacturer.
NEMs, telecommunication companies, and large scale network providers would benefit from a tool that provides proactive threat analysis while staying current with the latest hacking techniques. A tool of this type should have a number of high level goals, including the following.
It would be desirable to provide network threat testing methods, systems, devices, appliances and software that can replicate real hacking techniques.
In particular, it would be desirable to provide network threat testing methods, systems, devices, appliances and software that can apply real hacking techniques against network equipment, hosts, and networking infrastructures.
It would also be desirable to provide network threat testing methods, systems, devices, appliances and software that can create a hacking technique without requiring programmatic coding.
Still further, it would be desirable to provide network threat testing methods, systems, devices, appliances and software that can easily replicate a hacking threat within minutes of its discovery (instead of days or weeks).
It would also be desirable to provide network threat testing methods, systems, devices, appliances and software for maintaining an online database of hacking techniques that can be queried in real time.
In addition, it would be desirable to be able to quickly and efficiently distribute these hacking threats to quality assurance organizations.